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This  Means  War!  (Maybe?) 

Clarifying  Casus  Belli  in  Cyberspace 

Of  course,  you  realize,  this  means  war! 

— Bugs  Bunny1 

When  the  long-eared  hero  of  animation  utters  the  above-borrowed2  phrase  or  a 
similar  one,3  it  is  always  in  response  to  a  provocation  whose  magnitude  leaves  no  doubt 
concerning  the  appropriateness  of  a  forceful  response.  The  statement  is  declaratory 
and  final.  It  invites  no  argument,  because  no  argument  is  possible.  The  invariably  clear 
casus  belli4  by  the  offending  character  provides  the  required  justification  for  the  ensuing 
retaliatory  mayhem. 

This  is  entertaining  and  lighthearted  in  the  imaginary  context  of  cartoons,  where 
no  amount  of  force  is  ever  permanently  harmful  or  lethal.  However,  the  requirement  to 
identify  adequately  acts  justifying  a  state’s  responsive  use  of  force  is  a  very  real  one 
with  potentially  lethal  consequences.  In  stark  contrast  to  the  bright  hues  of  cartoons, 
though,  this  analysis  often  occurs  in  a  gray  zone  of  uncertainty.  Nowhere  is  this 
uncertainty  more  prevalent  than  in  the  newest  war  fighting  domain5  of  cyberspace.6 

This  paper  argues  current  international  legal  norms  and  constructs  do  not 
adequately  address  what  constitutes  casus  belli  in  the  cyber  domain.  Consequently,  an 
initiating  state  may  unintentionally  invite  a  responsive  use  of  force  through  cyber  actions 
it  considers  far  short  of  the  triggering  threshold.  Within  the  current  ambiguity,  however, 
the  target  state  might  consider  those  actions  as  well  beyond  that  threshold.  Such 
divergent  viewpoints  may  result  in  open  warfare  between  the  two  states. 

This  paper  recommends  the  U.S.  adopt  certain  practices  to  reduce  this 
dangerous  ambiguity.  These  practices  include  more  open  acknowledgement  of  cyber 


actions  and  maintaining  a  clear  separation  between  a  state’s  cyber  attack/defense  and 
espionage  functions.  They  also  include  asserting  sovereign  control  over  certain  portions 
of  the  cyber  domain,  vigorously  protecting  those  areas,  and  increasing  the  reporting  of 
cyber  incidents. 

The  paper  begins  with  an  examination  of  the  current  norms  concerning  the  use  of 
force  between  states.  It  then  details  the  emerging  views  concerning  the  application  of 
these  norms  to  the  cyber  domain.  The  paper  goes  on  to  apply  these  norms  to  the  facts 
surrounding  recently  alleged  state-level  actions  in  the  cyber  domain.  Based  upon  the 
conclusions  drawn,  the  paper  then  presents  recommendations  for  the  U.S.  to  help 
remove  some  of  the  uncertainty  surrounding  assessments  of  cyber  operations  under 
international  law. 

Use  of  Force  and  International  Law 

Since  its  adoption  in  1945,  the  Charter  of  the  United  Nations  (U.N.)7  has  served 
as  the  aspirational  framework  for  relations  between  states.  That  it  has  often  failed  to 
restrain  the  conduct  of  certain  states  does  not  make  considering,  in  the  words  of 
Michael  Walzer,  “the  precise  meaning  of  the  Charter ...  a  kind  of  utopian  quibbling.”8 
To  the  contrary,  its  provisions  and  those  of  other  customary  international  law,  such  as 
the  Hague9  and  Geneva10  conventions,  have  a  very  real  effect.  As  Nye  and  Welch  put  it, 
“[S]uch  rules  put  a  burden  of  proof  on  those  who  break  them.”11 

Indeed,  the  very  reason  for  attempting  to  clarify  casus  belli  in  cyberspace  is  to 
provide  a  clear  standard  against  which  states  may  measure  their  own  behavior  and  that 
of  other  states  when  initiating  or  responding  to  cyber  actions.  While  states  may  use 
force  to  act  on  their  interests  in  ways  contrary  to  defined  international  norms,  they  do  so 
at  a  cost  to  their  legitimacy  and  prestige.12  They  also  run  the  risk  of  drawing  the 
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collective  ire  of  the  international  community,  which  may  opt  for  group  action  to  punish  or 
to  restore  the  status  quo  ante  to  ensure  the  offending  state  does  not  profit  from  its  rule 
breaking.13  Consequently,  the  first  order  question  is,  “What  are  the  baseline  rules?” 

In  Article  2,  the  U.N.  Charter  clearly  removes  the  use  of  force  from  the  repertoire 
of  legitimate  state  actions  in  the  normal  course  of  international  relations.  It  requires  U.N. 
members  to  “refrain  in  their  international  relations  from  the  threat  or  use  of  force  against 
the  territorial  integrity  or  political  independence  of  any  state,  or  in  any  other  manner 
inconsistent  with  the  Purposes  of  the  United  Nations.”14  Recognizing,  however,  non- 
compliance  by  some  states  is  possible  (if  not  inevitable),  the  Charter  details  two 
currently  relevant15  circumstances  when  a  responsive  use  of  force  is  acceptable. 

The  first  circumstance  occurs  when  the  U.N.  Security  Council  determines  “the 
existence  of  any  threat  to  the  peace,  breach  of  the  peace,  or  act  of  aggression”16  and 
authorizes  under  Article  42  “such  action  by  air,  sea,  or  land  forces  as  may  be  necessary 
to  maintain  or  restore  international  peace  and  security.”17  Authorization  for  this  type  of 
action  occurs  only  after  careful  deliberation.  This  mechanism  is  ill  suited  to  match  the 
speed  at  which  cyber  attacks  can  occur  and  at  which  an  effective  response  must 
sometimes  occur.18  Of  greater  relevance  to  the  cyber  domain  than  this  deliberative 
process  is  the  Charter  provision  allowing  acts  in  self-defense. 

Article  51  of  the  U.N.  Charter  permits  “individual  or  collective  self-defense  if  an 
armed  attack  occurs  against  a  Member.”19  In  his  volume,  Striking  First,  Doyle 
characterizes  this  as  “[t]he  first  and  clearest  case  of  just  war.  .  .  The  country  that  is 
attacked  and  others  may  join  in  the  defensive  war  in  order  to  repel,  and  perhaps  also  to 
punish,  an  unjust  attacker.”20  This  response  need  not  await  Security  Council 
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authorization,  though  states  must  apprise  the  Security  Council  of  the  exercise  of  the 
inherent  right  of  self-defense.  The  Council  may  then  take  “such  action  as  it  deems 
necessary  in  order  to  maintain  or  restore  international  peace  and  security.”21 

Springing  from  this  right  of  self-defense  is  the  very  narrow  category  of  pre¬ 
emptive  attack.  In  the  words  of  Walzer,  it  is  a  “right  recognized  ...  in  the  legalist 
paradigm  for  international  society.”  It  holds  “states  can  rightfully  defend  themselves 
against  violence  that  is  imminent  but  not  actual;  they  can  fire  the  first  shots  if  they  know 
themselves  about  to  be  attacked.”22  A  commonly  cited  example  of  the  application  of  this 
norm  is  Israel’s  attack  to  open  the  Six-Day  War  in  1967.23 

Secretary  of  State  Daniel  Webster  articulated  the  requirements  for  an  acceptable 
pre-emptive  attack  during  an  exchange  of  letters  with  British  authorities  concerning  the 
Caroline  Case  of  1 837.24  Secretary  Webster  asserted  the  requirement  “to  show  a 
necessity  of  self-defence  [sic],  instant,  overwhelming,  leaving  no  choice  of  means,  and 
no  moment  for  deliberation.”  Additionally,  the  pre-empting  attacker  must  do  “nothing 
unreasonable  or  excessive;  since  the  act  justified  by  the  necessity  of  self-defence  [sic], 
must  be  limited  by  that  necessity,  and  kept  clearly  within  it.”25  The  British  agreed  with 
Webster’s  assertions  and  they  have  become  customary  international  law. 

In  his  work,  Walzer  questions  whether  the  right  to  anticipatory  self-defense 
articulated  in  the  Caroline  rules  “has  any  substance  at  all.”26  As  he  puts  it,  the  right 
allows  one  “to  do  little  more  than  respond  to  an  attack  once  we  had  seen  it  coming  but 
before  we  felt  its  impact.  Pre-emption  on  this  view  is  like  a  reflex  action,  a  throwing  up  of 
one’s  arms  at  the  very  last  minute.”27  Walzer  does  not  see  this  as  a  useful  right  because 
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“[t]here  is  often  plenty  of  time  for  deliberation”  which  makes  ‘Webster’s  reflex’ 
unnecessary.28 

To  be  fair,  Walzer  is  not  specifically  addressing  cyber  actions  in  his  analysis. 
However,  whatever  the  relative  merits  of  “Webster’s  reflex”  are  in  the  conventional  war 
fighting  domains,  it  appears  exceptionally  appropriate  in  the  cyber  domain.  In  fact, 
Webster’s  175-year-old  formulation  provides  succinct,  well  established,  and  recognized 
international  law  authority  for  the  concept  of  active  defense  discussed  later. 

General  Application  of  International  Law  to  Cyberspace 

Having  laid  out  the  most  relevant  customary  norms  justifying  a  state’s  resort  to 
force,  it  is  appropriate  to  examine  the  general  applicability  of  these  norms  to  the  cyber 
domain.  The  International  Court  of  Justice  (ICJ)  has  stated  the  self-defense  provisions 
of  Article  51  of  the  Charter,  as  well  as  Security  Council  enforcement  measures  under 
Article  42,  “apply  to  any  use  of  force,  regardless  of  the  weapons  employed.”29  On  its 
face,  this  brings  cyber  actions  within  the  scope  of  the  Charter. 

Additionally,  it  is  U.S.  policy  to  apply  existing  international  norms  in  cyberspace. 
The  White  House’s  International  Strategy  for  Cyberspace  states,  “[Cjyberspace  does 
not  require  a  reinvention  of  customary  international  law,  nor  does  it  render  existing 
international  norms  obsolete.  Long-standing  international  norms  guiding  state 
behavior — in  times  of  peace  and  conflict — also  apply  in  cyberspace.”30 

While  the  overall  applicability  of  these  norms  is  certainly  not  in  doubt  from  a  U.S. 
perspective,31  how  to  apply  them  is  much  less  settled.  It  is  far  from  obvious  how  the 
standards  of  the  Caroline  case  and  the  U.N.  Charter,  formulated  before  the  widespread 
use  of  electricity  and  electronics,  respectively,  factually  apply  to  acts  in  the  cyber 

domain.  In  the  words  of  one  author,  “In  fact,  the  entire  field  of  international  cyber  law  is 
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still  murky.”32  This  uncertainty  provides  the  very  concerning  risk  of  miscalculation  this 
paper  seeks  to  address. 

The  Tallinn  Manual  and  Cyber  Warfare 

A  substantial  first  step  towards  lifting  some  of  this  fog  will  occur  in  2013  with  the 
forthcoming  publication  of  the  Tallinn  Manual  on  the  International  Law  Applicable  to 
Cyber  Warfare  [hereinafter  the  Tallinn  Manual].33  The  Tallinn  Manual  represents  an 
attempt  by  a  group  of  nineteen  international  experts  “to  produce  a  non-binding 
document  applying  existing  law  to  cyber  warfare.”34  The  experts  involved  adopted  the 
rules  of  the  Tallinn  Manual  by  “employing  the  principle  of  consensus.”35  While  the 
authors  admit  “any  claim  that  every  assertion  in  the  Tallinn  Manual  represents  an 
incontrovertible  restatement  of  international  law  would  be  an  exaggeration,”36  it  carries 
sufficient  persuasive  force  to  warrant  its  use. 

Indeed,  given  the  accepted  methods  of  determining  international  law  on  a 
particular  subject,  the  Tallinn  Manual  may  be  the  only  available  cyber  warfare  source  for 
the  near  future.  Article  38  of  the  Statute  of  the  ICJ  details  the  generally  accepted 
sources  of  international  law.  These  include  international  conventions,  international 
custom,  general  principles  of  law,  as  well  as  the  subsidiary  means  of  “judicial  decisions 
and  the  teachings  of  the  most  highly  qualified  publicists  of  the  various  nations.”37 

Applying  these  sources  to  cyber  warfare,  one  quickly  exhausts  the  list.  There 
currently  are  no  applicable  international  conventions  or  treaties.38  Cyber  warfare  is  a 
relatively  new  state  capacity  and  customs  emerge  slowly  (over  decades,  not  years). 
General  principles  of  law  may  be  timeless,  but  they  still  require  expert  application.  There 
are  not  yet  any  international  judicial  decisions  on  the  topic.  This  leaves  only  the 
subsidiary  means  of  highly  qualified  publicists  as  a  currently  available  source. 
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Consequently,  the  Rules  and  Commentary  of  the  Tallinn  Manual  may  be  the  best 
available  lens  through  which  to  view  the  application  of  current  international  norms  to  the 
cyber  domain. 

As  an  initial  matter,  it  is  important  to  understand  the  general  nature  of  the 
international  legal  environment.  The  Lotus  case  provides  a  succinct  statement  of  the 
two  overarching  behavioral  norms  with  which  states  comply.  One  is  permissive,  while 
the  other  is  restrictive.  First,  “under  international  law  everything  which  is  not  prohibited 
is  permitted.”  Second,  “[F]ailing  the  existence  of  a  permissive  rule  to  the  contrary[,  a 
state]  may  not  exercise  its  power  in  any  form  in  the  territory  of  another.”39  The  U.N. 
Charter  harkens  to  these  norms  in  its  regulation  of  hostilities  between  states. 

As  previously  stated,  Article  2  prohibits  the  “threat  or  use  of  force,”  removing 
those  acts  from  the  spectrum  of  unregulated  state  behavior.  However,  absent  some 
other  prohibition,  actions  below  the  use  of  force  threshold  are  permissible  under 
international  law.  The  self-defense  clause  of  Article  51  is  a  permissive  rule  suspending 
the  previous  prohibition  in  response  to  an  “armed  attack.”  Consequently,  “use  of  force” 
describes  what  a  state  must  refrain  from  doing  until  an  “armed  attack”  occurs.  Defining 
these  two  terms  for  the  cyber  domain  is  essential  for  avoiding  state  miscalculations. 

In  its  Rule  1 1 ,  the  Tallinn  Manual  defines  a  cyber  operation  as  “a  use  of  force 
when  its  scale  and  effects  are  comparable  to  non-cyber  operations  rising  to  the  level  of 
a  use  of  force.”40  On  its  face,  this  is  not  a  very  satisfying  definition,  as  it  uses  the  term 
“use  of  force”  to  define  a  cyber  use  of  force.  This  would  be  less  troubling  if  non-cyber 
“use  of  force”  was  well  defined.  Unfortunately,  it  is  not.  The  Tallinn  Manual 
acknowledges,  “There  is  no  authoritative  definition  of,  or  criteria  for .  .  .  ‘use  of  force.’”41 
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Despite  this  shortcoming,  the  definition  is  not  a  nullity.  It  at  least  informs  us  the 
rules  for  the  use  of  force  in  the  cyber  domain  are  no  different  from  that  of  any  other 
domain.  Additionally,  the  term  “scale  and  effects”  carries  some  meaning.  It  appears  in 
the  ICJ’s  decision  in  the  Nicaragua  case.  In  this  case,  the  ICJ  held  an  act  done  by  a 
proxy  might  constitute  an  armed  attack  by  the  sending  state  if  its  “scale  and  effects” 
would  classify  it  as  an  armed  attack  if  done  by  a  state’s  regular  armed  forces.42 

It  is  important  to  note  the  ICJ  was  addressing  “armed  attack,”  not  “use  of  force.” 
The  drafters  of  the  Tallinn  Manual  forthrightly  acknowledge  their  intentional  expansion 
of  the  term’s  application.  They  state,  “The  Experts  found  the  focus  on  scale  and  effects 
to  be  an  equally  useful  approach  when  distinguishing  acts  that  qualify  as  uses  of  force 
from  those  that  do  not.”43 

This  equality  of  approaches,  however,  does  not  make  “armed  attack”  and  “use  of 
force”  terms  that  possess  a  distinction  without  a  difference.44  The  ICJ  makes  this  clear 
when  it  states,  “[l]t  will  be  necessary  to  distinguish  the  most  grave  forms  of  the  use  of 
force  (those  constituting  an  armed  attack)  from  other  less  grave  forms.”45  In  other  words, 
all  armed  attacks  are  a  use  of  force,  but  not  all  uses  of  force  rise  to  the  level  of  an 
armed  attack.  This  is  significant,  as  only  an  armed  attack  triggers  the  right  to  self- 
defense  under  Article  51  of  the  U.N.  Charter. 

The  drafters  of  the  Tallinn  Manual  were  unanimous  in  their  determination  “some 
cyber  operations  may  be  sufficiently  grave  to  warrant  classifying  them  as  an  ‘armed 
attack.’”46  In  defining  “armed  attack,”  the  Tallinn  Manual  again  calls  upon  the  “scale  and 
effects”  language.  Rule  13  states,  “Whether  a  cyber  operation  constitutes  an  armed 
attack  depends  upon  its  scale  and  effects.”47 
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If  one  uses  the  same  “scales  and  effects”  analysis  for  determining  both  “use  of 
force”  and  “armed  attack,”  it  is  worthwhile  to  define  the  threshold  at  which  a  use  of  force 
transitions  into  an  armed  attack.  The  Tallinn  Manual  characterizes  this  point  as 
“unsettled”  and  “unclear.”48  Unfortunately,  the  Tallinn  Manual  provides  little  additional 
clarity  and  may  actually  confuse  this  issue  further. 

In  discussing  the  armed  attack  threshold,  the  Tallinn  Manual  holds  “some  cases 
are  clear.”49  The  drafters  “agreed  that  any  use  of  force  that  that  injures  or  kills  persons 
or  damages  or  destroys  property  would  satisfy  the  scale  and  effects  requirement.”50  This 
seems  to  set  a  bright  line  rule.  However,  in  the  next  comment,  the  Tallinn  Manual 
removes  this  apparent  clarity  by  stating,  “[T]he  law  is  unclear  as  to  the  precise  point  at 
which  the  extent  of  death,  injury,  damage,  destruction,  or  suffering  caused  by  a  cyber 
operation  fails  to  qualify  as  an  armed  attack.”51  It  is  difficult  to  discern  how  death,  injury, 
damage,  and  destruction  can  be  both  a  clear  case  of  armed  attack  in  some  instances, 
yet  fail  to  qualify  as  an  armed  attack  in  others. 

Beyond  this  one  instance  of  confusion,  the  Tallinn  Manual’s  inability  to  provide 
bright-line  rules  is  understandable.  After  all,  states  have  wrestled  with  the  application  of 
these  terms  to  non-cyber  activities  for  well  over  half  a  century  and  precise  definitions 
are  still  elusive.  Rather  than  fault  the  Tallinn  Manual  for  failing  to  provide  what  may  be 
impossible  to  provide,  it  is  better  to  focus  on  what  it  does  provide.  It  presents  a 
compelling  list  of  factors  states  “are  likely  to  consider .  .  .  when  deciding  to  characterize 
any  operation,  including  a  cyber  operation,  as  a  use  of  force”52  and,  by  extension,  a 
possible  armed  attack. 
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Factors  for  Assessing  Use  of  Force  in  Cyberspace 

The  primary  factors  laid  out  by  the  Tallinn  Manual  are  severity,  immediacy, 
directness,  invasiveness,  measurability  of  effects,  military  character,  state  involvement, 
and  presumptive  legality.53  This  is  admittedly  a  non-exhaustive  list.54  Nonetheless,  it 
provides  a  useful  framework  for  analysis.  A  brief  explanation  of  each  primary  factor  is  a 
necessary  precursor  for  future  application.  It  is  helpful  to  categorize  these  factors  under 
the  headings  of  who,  what,  where,  when,  and  how. 

Both  state  involvement  and  military  character  address  the  question  of  “who.”  For 
state  involvement,  “The  clearer  and  closer  a  nexus  between  a  State  and  cyber 
operations,  the  more  likely”  other  states  will  see  it  as  a  use  of  force  by  the  originating 
state.55  Military  character  raises  the  question  of  “whom”  both  in  terms  of  the  originator 
and  the  target.  If  either  are  military  forces,  it  “heightens  the  likelihood  of  characterization 
as  a  use  of  force.”56 

The  first  aspect  of  the  question  of  “what”  is  perhaps  the  most  obvious.  What 
actually  happened  because  of  the  cyber  operation?  The  concept  of  severity  addresses 
this  question  and  holds  the  distinction  of  being  “[s]elf-evidently  the  most  significant 
factor  in  the  analysis.”  Unless  de  minimis,  any  act  “involving  physical  harm  to  individuals 
or  property”  will  likely  qualify  as  a  use  of  force.57  The  question  of  “what”  is  also 
applicable  to  an  analysis  of  presumptive  legality.  What  kind  of  operation  was  it?  Recall 
that  absent  a  prohibition,  acts  in  the  international  realm  are  presumptively  legal.  This 
includes  such  negative  actions  as  “propaganda,  psychological  operations,  espionage,  or 
mere  economic  pressure,”  all  of  which  are  less  likely  rise  to  the  level  of  a  use  of  force.58 

The  question  of  “where”  seems  to  be  a  strange  fit  in  a  domain  with  no  physical 

boundaries.  However,  it  does  matter  where  in  cyberspace  the  attack  occurs  and  where 
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the  physical  effects  occur.  The  concept  of  invasiveness  covers  this  question.  “As  a  rule, 
the  more  secure  a  targeted  cyber  system,  the  greater  the  concern  as  to  its 
penetration.”59  Operations  against  a  highly  classified  military  network  are  much  more 
likely  a  use  of  force  than  those  targeting  commercial  websites.  Additionally,  if  the  effects 
“are  limited  to  a  particular  State,”  it  increases  the  perceived  invasiveness  of  those 
operations.”60  If  either  of  these  conditions  are  true,  it  raises  the  likelihood  a  cyber  action 
constitutes  a  use  of  force. 

The  temporal  question  of  “when”  addresses  the  factor  of  immediacy.  Immediacy 
holds  that  states  are  more  likely  to  categorize  “a  cyber  operation  that  produces 
immediate  results  as  a  use  of  force.”  This  is  due  to  the  decreased  window  of  opportunity 
to  “seek  a  peaceful  accommodation”  or  prevent  the  “harmful  effects.”  Attacks  that  “take 
weeks  or  months  to  achieve  their  intended  effects”  are  less  likely  in  the  use  of  force 
category.61 

While  immediacy  addresses  the  timing  of  causation,  “directness  examines  the 
chain  of  causation.”62  This  is  a  question  of  “how”  the  cyber  operation  causes  the  effect. 
The  more  directly  linked  the  cause  and  effect,  the  more  likely  the  cyber  action  is  a  use 
of  force.63  The  second  aspect  of  the  “how”  question  addresses  measurability,  as  in  “How 
bad  was  it?”  It  is  easier  “to  characterize  actions  as  a  use  of  force  when  the 
consequences  are  apparent.”  Having  “quantifiable  and  identifiable”  consequences,  such 
as  “amount  of  data  corrupted,  percentage  of  servers  disabled,  number  of  confidential 
files  extracted,”  makes  it  more  likely  the  operation  will  appear  to  be  a  use  of  force.64 

Applying  the  Factors 

Having  laid  out  the  assessment  factors  proposed  by  the  Tallinn  Manual,  it  is 

illuminating  to  test  their  utility  by  applying  them  to  actual  cyber  events.  This  paper  uses 
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two  case  studies.  The  first  is  the  2007  wave  of  cyber  attacks  aimed  at  Estonia  and  the 
second  is  the  Stuxnet  malware  attack  in  Iran  made  public  in  2010. 

Estonia  -  The  Cyberwar  That  Wasn’t 

On  27  April  2007,  a  wave  of  distributed  denial  of  service  attacks65  hit  various 
websites  in  Estonia.  Affected  sites  included  those  of  “the  president,  parliament, 
ministries,  political  parties,  major  news  outlets,  and  Estonia’s  two  dominant  banks.”66 
The  apparent  precipitation  of  the  attacks  was  the  “decision  to  move  a  Soviet-era  war 
memorial.”67  Some  attacked  sites  were  “defaced  to  redirect  users  to  images  of  Soviet 
soldiers.”68  The  attacks  occurred  during  a  time  of  protest  riots  by  ethnic  Russian 
Estonians.69  The  attacks  continued  for  over  a  month  and,  at  times,  included  up  to 
100,000  networked  machines  bombarding  the  targeted  sites.70 

The  Estonian  response  was  to  circle  the  wagons  to  fend  off  the  attacks  by 
closing  down  external  server  access,  while  attempting  to  continue  to  allow  access  by 
Estonian  users.  The  head  of  information  technology  at  the  Estonian  defense  ministry 
stated  the  country  was  very  dependent  upon  the  internet  due  to  the  country’s  “paperless 
government”  and  web-based  banking.  In  his  words,  “If  these  services  are  made  slower, 
we  of  course  lose  economically.”71 

At  the  time,  Estonia  believed  the  Russian  government  was  behind  the  attacks,72 
partially  because  the  list  of  alleged  offenders  includes  internet  addresses  “in  the 
Russian  government  and  presidential  administration.”73  A  Kremlin  spokesman 
characterized  the  allegations  as  “completely  untrue”74  and  stated  an  internet  address 
“does  not  mean  foreign  governments  are  behind  these  attacks.  Moreover,  as  you 
probably  know,  IP  addresses  can  be  fake.”75 
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Concurrently,  one  Russian  internet  pioneer  indicated  there  was  “no  reason  to 
believe  in  Russian  state  involvement”  beyond  that  of  “Russian  state  propaganda” 
fuelling  “anti-Estonian  sentiments.”76  A  member  of  “a  pro-Kremlin  youth  group”  stated 
“he  personally  took  part  in  cyber-attacks  .  .  .  [although]  he  denied  that  Moscow  state 
offices  were  used.77  Eventually,  a  20-year-old  ethnic  Russian  Estonian  student  was  the 
first  convicted  and  fined  for  participation  in  the  attack.  Prosecutors  claimed  the  attack 
was  an  act  of  protest.78 

One  commentator  characterized  this  incident  as  “more  a  cyber-riot  than  a  war.”79 
The  below  application  of  the  Tallinn  Manual’s  assessment  factors  supports  this  view. 
Very  few  of  the  factors,  if  any,  weigh  in  favor  of  considering  this  incident  a  use  of  force, 
much  less  an  armed  attack. 

Applying  the  questions  of  “who”  to  this  case  illustrates  what  one  commentator 
has  deemed  the  “single  greatest  challenge  to  the  application  of  the  law  of  armed  conflict 
to  cyber  activity”80  -  that  of  attribution.  As  the  Kremlin  spokesman  pointed  out  above, 
even  the  use  of  government  originating  addresses  does  not  necessarily  mean  state 
involvement.  Despite  initial  concerns,  the  eventual  conviction  in  this  case  indicates  state 
involvement  was  not  a  factor.  Likewise,  the  attack  also  lacked  a  military  character. 

There  was  no  specific  targeting  of  Estonian  military  capabilities,  nor  was  there  any 
indication  of  Russian  military  involvement  in  the  attacks. 

Answers  to  the  questions  of  “what”  also  weigh  against  considering  this  a  use  of 
force.  Despite  the  massive  inconvenience,  the  attacks  do  not  appear  to  have  caused 
any  physical  harm  or  damage.  The  attacks  lacked  the  severity  necessary  to  cross  the 
threshold  of  a  use  of  force.  Additionally,  while  the  eventual  conviction  clearly  indicates 
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a  violation  of  Estonian  domestic  law  occurred,  it  is  unclear  the  attacks  violated  any 
international  legal  norms.  Even  if  Russia’s  spread  of  propaganda  fueled  the  attacks, 
such  spreading  of  propaganda  is  a  presumptively  legal  act  in  the  international  context. 

The  question  of  “where”  harkens  to  the  invasiveness  of  the  attack.  While  it  is  true 
the  attacks  were  largely  limited  to  Estonian  sites,  indicating  a  state-defined  target  set, 
they  did  not  appear  to  target  classified  or  secure  networks.  Even  the  governmental  sites 
attacked  were  informational  sites  generally  open  to  the  public.  No  specialized  access 
was  necessary  to  reach  these  networks.  Doors  that  are  open  to  the  public  carry  the  risk 
of  admitting  unhappy  members  of  that  public. 

The  effects  of  the  attack  also  lacked  the  immediacy  that  would  support 
characterizing  the  attack  as  a  use  of  force.  Examining  the  question  of  “when”  makes  it 
apparent  Estonia  had  time  to  react  and  mitigate  the  effects  of  the  attacks.  During  the 
month-long  duration  of  the  attacks,  Estonia  had  time  to  lodge  protests  and  take  the 
protective  measure  of  closing  its  sites  to  requests  originating  outside  of  Estonia. 

The  use  of  force  analysis  for  the  attacks  also  fails  on  the  question  of  “how.” 
Although  Estonia  perhaps  did  “lose  economically,”  the  attacks  lacked  directness.  The 
attacks  did  not  actually  destroy  financial  records  or  economic  capacity.  Instead,  they 
simply  made  regular  financial  transactions  more  difficult.  It  is  also  difficult  to  assign  a 
monetary  figure  to  this  loss  of  convenience.  This  causes  the  attacks  also  to  fail  in  the 
measurability  analysis. 

The  above  analysis  of  the  2007  cyber  attacks  on  Estonia  using  the  factors 
proposed  by  the  Tallinn  Manual  indicate  any  characterization  of  these  attacks  as  cyber 
“warfare”  is  overblown.  The  attacks  and  their  effects  fail  in  nearly  every  instance  to 


14 


demonstrate  the  proposed  characteristics  of  a  use  of  force.  Interestingly,  however,  the 
primary  author  of  the  Tallinn  Manual’s  factors  appears  to  reach  a  different  conclusion.  In 
his  analysis,  “Taken  together  as  a  single  ‘cyber  operation,’  the  incident  arguably 
reached  the  use-of-force  threshold.”81 

This  difference  of  opinion  does  not  invalidate  the  analytic  approach,  but  it  does 
highlight  the  subjective  and  often  uncertain  nature  of  its  outcome.  In  many  cases, 
reasonable  people  may  reach  differing  conclusions.  The  2010  Stuxnet  malware  attack 
in  Iran,  however,  is  a  much  clearer  case. 

Iran  -  A  Likely  Cyberwar  Salvo 

In  late  2009  or  early  2010,  Iran  replaced  approximately  1 ,000  of  the  centrifuges 
at  its  primary  nuclear  enrichment  facility  at  Natanz,  “implying  that  these  centrifuges 
broke.”82  About  that  same  time,  however,  a  sophisticated  piece  of  computer  malware 
appeared  “loose  on  the  Internet”83  and  drew  the  attention  of  computer  security  experts. 
They  christened  the  malware  “Stuxnet.”84  In  November  of  2010,  Iranian  President 
Ahmadinejad  confirmed  the  cause  of  Iran’s  centrifuge  problems  was  some  type  of  cyber 
attack.  In  his  words,  someone  “succeeded  in  creating  problems  for  a  limited  number  of 
our  centrifuges  with  the  software  they  had  installed  in  electronic  parts.”85 

The  Symantec  computer  security  company  characterizes  Stuxnet  as  “a  large, 
complex  piece  of  malware  .  .  .  primarily  written  to  target  an  industrial  control  system 
[ICS]  or  set  of  similar  systems.”86  It  does  so  by  modifying  the  ICS’s  “programmable  logic 
controllers  (PLCs)  to  make  them  work  in  a  manner  the  attacker  intended  and  to  hide 
those  changes  from  the  operator  of  the  equipment.”87  The  malware  is  very  precise  in  its 
targeting. 
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Stuxnet  “covertly  changes  the  frequencies  of  certain  types  of  frequency 
converters,  which  control  the  speed  of  motors.”  Its  intended  targets  are  components 
associated  with  Iran’s  centrifuges.88  Stuxnet  ultimately  causes  the  centrifuges  to  rotate 
out  of  their  designed  tolerances.  Such  rotations  “could  destroy  large  numbers  of 
centrifuges.”89  As  early  as  2008,  the  malware  was  apparently  active  at  Natanz  and 
causing  centrifuges  to  spin  “at  faster-than-normal  speeds  until  sensitive  components 
began  to  warp  and  break.”90  A  third  version  of  Stuxnet,  implemented  shortly  after  the 
outside  detection  of  the  malware,  caused  the  destruction  of  the  1 ,000  centrifuges.91 

The  computer  security  community  did  eventually  determine  the  software’s 
functioning  and  specific  targeting  of  Iranian  enrichment  processes.92  However,  it  “came 
to  no  conclusions  about  who  was  responsible,”93  even  after  Symantec  reported  the 
location  of  two  “command  and  control  servers”  in  Malaysia  and  Denmark.94  Symantec 
did  note,  however,  “Stuxnet  is  of  such  great  complexity — requiring  significant  resources 
to  develop — that  few  attackers  will  be  capable  of  producing  a  similar  threat.”95 

Although  no  government  has  openly  acknowledged  responsibility,  subsequent 
news  reporting  based  upon  “leaks”  in  the  U.S.  government  provides  a  possibility. 
According  to  news  reports,  the  U.S.  National  Security  Agency  (NSA)  developed  the 
malware  with  the  help  of  Israel  as  part  of  a  classified  effort  code-named  Olympic 
Games.96  The  operation  “was  geared  toward  damaging  Iran’s  nuclear  capability 
gradually  while  sowing  confusion  among  Iranian  scientists  about  the  cause  of  mishaps 
at  a  nuclear  plant.”97  The  U.S.  Central  Intelligence  Agency  (CIA)  and  Israelis  handled 
the  problem  of  getting  the  software  into  the  system.  Because  the  plant’s  equipment  was 


16 


not  attached  to  the  internet,  emplacing  the  software  “depended  on  spies  and  unwitting 
accomplices”  to  connect  an  infected  device  to  the  system.98 

The  spread  of  the  malware  outside  the  Natanz  system  may  have  been  the  result 
of  a  coding  error.  However,  as  a  testament  to  the  targeting  specificity  of  the  malware, 
there  was  no  damage  resulting  from  the  more  than  100,000  computers  unintentionally 
infected  outside  the  plant.99  The  effects  inside  the  Natanz  facility,  however,  were 
significant.  As  one  reporter  noted,  “Stuxnet  appears  to  be  the  first  time  the  United 
States  has  repeatedly  used  cyberweapons  to  cripple  another  country’s  infrastructure, 
achieving,  with  computer  code,  what  until  then  could  be  accomplished  only  by  bombing 
a  country  or  sending  in  agents  to  plant  explosives.”100 

Based  upon  the  above  facts,  one  cyber-expert  opined,  “Effectively  the  United 
States  has  gone  to  war  with  Iran  and  has  chosen  to  do  so  in  this  manner  because  the 
effects  can  justify  this  means.”101  Could  Iran  consider  this  effort  by  the  U.S.  and  Israel  to 
be  an  armed  attack  justifying  the  use  of  force  in  self-defense?  An  application  of  the 
assessment  factors  proposed  by  the  Tallinn  Manual  indicates  such  a  conclusion  is  not 
only  possible,  but  almost  a  certainty. 

Both  the  state  involvement  and  military  character  aspects  of  the  question  of 
“who”  in  this  case  point  towards  the  legitimacy  of  considering  this  an  armed  attack.  Poor 
U.S.  security  in  leaking  the  potential  identity  of  the  malware’s  originator  may  have 
solved  the  technical  attribution  problem.  The  importance  of  this  cannot  be  overstated. 
Given  the  primacy  of  state  action  under  international  law,  one  frequent  expert 
commentator  was  certainly  correct  when  he  noted,  “the  identity  of  the  attacker  may  well 
determine  if  a  state  of  war  exists.”102  If  other  states  assume  the  accuracy  of  public  news 
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stories  not  disavowed  by  the  governments  concerned,  the  creation  and  insertion  of  the 
malware  were  acts  of  state  involvement  by  the  U.S.  and  Israel. 

The  “who”  issue  of  the  military  character  of  the  attack  is  a  slightly  closer  question. 
The  U.S.  agencies  allegedly  involved  were  the  NSA  and  CIA.  These  are  not  technically 
military  organizations.  However,  the  CIA  does  sometimes  go  beyond  strict  espionage  by 
taking  a  more  direct  role  in  hostilities.  For  example,  a  CIA-led  military  operation  was 
largely  responsible  for  the  destruction  of  the  Taliban  regime  in  Afghanistan.103  Given 
this,  it  is  likely  other  nations  would  consider  the  CIA  at  least  a  paramilitary  arm  of  the 
U.S. 

The  target  was  also  of  a  quasi-military  character.  Iran  claims  its  uranium 
enrichment  efforts  are  for  peaceful  purposes.  However,  the  international  community 
believes  its  true  aim  to  be  military  -  the  development  of  nuclear  weapons.  A  weapons- 
development  program  is  more  military  than  civil  in  nature.  While  it  is  not  an  unequivocal 
determination,  the  facts  of  this  case  weigh  in  favor  of  answering  “yes”  to  whether  the 
attack’s  origin  and  target  possess  a  military  character. 

The  answers  to  the  questions  of  “what”  are  clearer  determinations.  When 
examining  severity,  acts  causing  physical  harm  cross  the  threshold  as  a  use  of  force. 
Physical  harm  includes  harm  to  property.  The  destruction  of  the  centrifuges  to 
necessitate  their  replacement  meets  this  requirement.  The  attack  also  fails  to  qualify  as 
an  act  of  presumptive  legality.  Had  the  “spies  and  unwitting  accomplices”  only  inserted 
information-gathering  tools,  this  would  have  been  an  act  of  simple  espionage  presumed 
legal  under  international  law.  However,  the  aim  was  to  produce  destructive  results  akin 
to  bombing  or  planting  explosives.  This  nullifies  any  presumptive  legality  argument. 
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Turning  to  the  question  of  “where,”  it  is  clear  the  attack  was  highly  invasive. 

Given  its  nature,  the  Natanz  facility  is  likely  one  of  Iran’s  most  secure  facilities.  The  lack 
of  connectivity  between  its  systems  and  the  internet  supports  this  assessment. 
Additionally,  the  malware  was  highly  engineered  to  target  only  specific  components  at 
this  specific  plant.  Even  when  it  unintentionally  spread  outside  the  plant,  it  had  no  real 
effects.  The  highly  secure  nature  of  the  plant  and  the  extreme  specificity  of  the  targeting 
both  place  the  attack  at  the  high  end  of  the  invasiveness  scale. 

The  aspect  of  immediacy  associated  with  the  question  of  “when”  is  more 
complex.  The  first  version  of  the  malware  apparently  ran  for  months  without  causing 
alarm.  The  program,  as  designed,  obscured  the  nature  of  the  centrifuge  failures  in  an 
attempt  to  damage  Iran’s  capability  gradually.  This  approach  lacked  immediacy. 

Despite  this  lack  of  immediacy,  however,  the  malware  eventually  gained  outside 
notice.  Perhaps  fearful  the  Iranians  would  piece  things  together  and  close  the  window  of 
opportunity,  the  attackers  introduced  a  newer  variant  that  caused  the  abrupt  destruction 
of  1 ,000  centrifuges.  This  newer  variant  possessed  the  immediacy  the  original  version 
lacked.  Its  entire  purpose  was  to  cause  its  effects  before  the  Iranians  could  react  to 
mitigate  the  harm. 

Turning  to  the  final  question  of  “how,”  the  attack  appears  to  have  both  the 
requisite  characteristics  of  directness  and  measurability.  It  is  clear  the  malware’s 
manipulation  of  the  frequency  controllers  initiated  the  short  chain  of  causation  that  led  to 
the  centrifuge  failures.  The  1 ,000  simultaneous  failures  are  otherwise  difficult  to  explain. 
Those  same  1 ,000  failures  are  a  distinctly  measureable  result  one  can  attribute  to  the 
attack. 
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Given  the  above  analysis,  the  consideration  by  “many  experts”  of  Stuxnet  as  “the 
first  cyber  weapon  in  history”  appears  valid.104  To  call  it  a  “State  sponsored  attack” 
aimed  at  “the  critical  infrastructures  of  a  foreign  country  with  the  specific  intent  to 
destroy  them” 105  is  not  an  exaggeration.  The  operation  possesses  all  of  the 
characteristics  suggested  by  the  Tallinn  Manual  as  indicators  of  a  use  of  force,  if  not  an 
armed  attack,  under  international  law.  Although  Iran  cannot  currently  speak  from  a 
position  of  moral  authority  regarding  international  norms,  it  would  appear  justified  in 
raising  a  complaint  regarding  this  incident. 

Recommendations  for  Increasing  Cyberspace  Clarity 

The  two  above  case  studies  fall  in  at  the  opposing  ends  of  the  spectrum  of 
analysis  using  the  assessment  factors  proposed  by  the  Tallinn  Manual.  The  cyber 
attack  on  Estonia  arguably  possesses  practically  none  of  the  characteristics  of  a  use  of 
force,  while  the  attack  on  Iran  demonstrates  nearly  all  of  them.  It  is  fair  to  surmise  future 
incidents  will  likely  fall  somewhere  between  these  two  extremes. 

Applying  a  balancing  test  will  be  necessary  in  instances  where  some  factors 
support  the  characterization  of  a  use  of  force,  while  others  mitigate  against  it.  There  is 
always  a  level  of  ambiguity  associated  with  such  analysis.  Because  the  outcome  of  the 
analysis  may  provide  justification  under  international  law  to  go  to  war,  it  is  in  the  interest 
of  states  to  remove  as  much  ambiguity  as  possible.  The  U.S.  can  lead  this  effort  by 
taking  a  number  of  actions,  both  in  the  offensive  and  defensive  contexts. 

On  the  Offense 

First,  in  the  offense,  the  U.S.  should  demonstrate  “secrecy”  and  “cyber”  are  not 
synonymous  when  it  comes  to  state  involvement.  The  U.S.  does  not  have  a  history  of 
launching  surprise  attacks  and  has  an  aversion  to  doing  so.  It  was  Robert  Kennedy’s 
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likening  a  surprise  invasion  of  Cuba  to  Pearl  Harbor  that  “discredited]  the  hawks”  and 
enabled  the  “more  prudent  approach”  of  a  naval  quarantine  during  the  Cuban  Missile 
Crisis.106  In  this  same  vein,  a  non-attributable  “cyber  sneak  attack”  with  widespread 
effects  against  another  state  appears  distinctly  un-American. 

However,  the  U.S.  may  enjoy  a  significant  technological  advantage  in  the  cyber 
domain  that  it  has  every  right  to  exploit.  The  U.S.  may  choose  to  use  cyber  methods  in 
self-defense  or  as  an  offensive  use  of  force  during  already  ongoing  hostilities.  When  it 
does  so,  it  should  not  attempt  to  mask  the  origin  of  these  cyber  actions  and  should  take 
responsibility  for  them. 

All  U.S.  weapons,  to  include  cyber  weapons,  undergo  two  legal  reviews.  As  an 
initial  matter,  an  examination  ensures  the  weapon  is  not  per  se  contrary  to  international 
legal  norms  before  it  even  enters  the  U.S.  weapons  inventory.107  Afterwards,  any 
significant  employment  of  the  system  undergoes  another  review  to  determine  whether 
the  intended  use  also  complies  with  international  law.108  This  prevents  the  use  of 
otherwise  legal  weapons  in  illegal  ways. 

Cyber  weapons  undergo  this  same  legal  analysis.109  If  they  pass,  there  is  no 
reason  to  mask  their  use.  The  U.S.  should  be  as  hesitant  to  do  so  as  it  would  be  to  send 
its  regular  forces  into  combat  lacking  the  “fixed  distinctive  emblem  recognizable  at  a 
distance”110  embodied  in  their  uniforms.  Failure  to  take  ownership  of  cyber  attacks  risks 
the  target  state  responding  too  broadly  and  drawing  others  into  the  conflict.  Additionally, 
if  there  is  a  question  of  the  appropriateness  of  a  cyber  action,  acknowledgement  of  that 
action  allows  target  states  recourse  to  international  bodies  that  settle  such  disputes. 
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This  allows  the  building  of  a  body  of  law  and  state  practice  that  clarifies  what  is 
appropriate. 

This  recommendation  holds  well  for  openly  conducted  conflicts.  The  Iran  attack 
demonstrates,  however,  that  states  sometimes  determine  their  interests  require 
surreptitious  actions.  It  would  be  Pollyannaish  to  assume  this  never  happens  or  that  one 
can  prevent  it  from  happening.  In  such  cases,  state  involvement  is  still  a  significant 
issue.  Should  the  non-attribution  fail,  the  target  state  may  have  a  legitimate  recourse  to 
open  warfare.  The  gravity  of  this  outcome  makes  the  protection  of  that  anonymity  highly 
important.  Consequently,  the  U.S.  should  actively  investigate  and  prosecute  “leaks”  of 
the  type  that  revealed  the  Olympic  Games  operation  to  the  world.  The  release  of  such 
highly  classified  information  is  a  crime  and  the  potential  for  harm  is  enormous. 

Second,  in  the  offense,  the  U.S.  should  take  care  not  to  overly  militarize  its  cyber 
capabilities.  Doing  so  may  inadvertently  give  a  military  character  to  actions  that  would 
otherwise  enjoy  presumptive  legality  as  espionage.  For  example,  a  single  U.S.  General 
heads  both  the  U.S.  Cyber  Command  (USCYBERCOM)  and  the  NSA.  The 
organizations  are  even  co-located.  According  to  U.S.  policy,  this  allows  “these  separate 
and  distinct  organizations  ...  to  maximize  talent  and  capabilities,  leverage  respective 
authorities,  and  operate  more  effectively  to  achieve  DoD’s  mission.”111  The 
separateness  and  distinctness  of  these  organizations  matters. 

USCYBERCOM,  when  directed,  conducts  “full  spectrum  military  cyberspace 
operations  in  order  to  enable  actions  in  all  domains,  ensure  US/Allied  freedom  of  action 
in  cyberspace  and  deny  the  same  to  our  adversaries.”112  As  part  of  its  Signals 
Intelligence  (SIGINT)  mission,  the  NSA,  “collects,  processes,  and  disseminates 
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intelligence  information  from  foreign  signals  for  intelligence  and  counterintelligence 
purposes  and  to  support  military  operations.”113  These  missions  carry  an  important 
distinction. 

Target  states  will  view  any  cyber  attack  or  defense  action  under  USCYBERCOM 
authority  as  having  a  clear  military  character.  However,  NSA’s  SIGINT  mission  falls 
squarely  into  a  category  most  would  consider  traditional  espionage.  This  categorization 
is  important  given  the  customary  international  norm  that  information-gathering 
espionage  efforts  do  not  amount  to  a  use  of  force. 

It  is  no  doubt  organizationally  beneficial  that  USCYBERCOM  “is  charged  with 
pulling  together  existing  cyberspace  resources.”114  However,  the  U.S.  should  take  care 
not  to  blur  functional  lines  too  greatly.  By  doing  so,  it  may  inadvertently  forfeit  the  useful 
protection  of  presumptive  legality  its  cyber  espionage  efforts  currently  enjoy. 

For  example,  consider  the  insertion  of  surreptitious  information-gathering 
software  into  a  sensitive  foreign  military  system.  Most  would  immediately  characterize 
such  an  action  by  the  NSA  as  simple  espionage,  and  not  necessarily  a  prelude  to 
further  escalation.  These  are  extremely  useful  actions  the  U.S.  can  routinely  undertake 
without  risking  recourse  to  war.  This  is  true  even  when  the  information  gathered  may  be 
of  tremendous  military  value.  However,  it  may  give  the  recipient  state  greater  concern  to 
learn  the  perpetrator  was  the  military’s  USCYBERCOM.  This  raises  the  question  of 
whether  the  intrusion  is  part  of  a  larger,  perhaps  more  imminent,  military  effort. 

The  more  closely  these  organizations  align,  the  more  difficult  it  is  for  states  to 
draw  this  distinction.  Should  the  distinction  disappear  in  the  reasoning  of  other  states, 
the  U.S.  may  have  to  self-limit  its  espionage  for  fear  of  others  viewing  it  as  an 
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escalatory  military  action.  This  would  result  in  a  case  where  increased  organizational 
efficiency  actually  led  to  decreased  operational  effectiveness. 

On  the  Defense 

The  above  recommendations  pertain  primarily  to  U.S.  actions  on  the  offensive 
end  of  the  spectrum.  The  U.S.  can  also  lessen  ambiguities  on  the  defensive  end.  Clear 
declarations  concerning  invasiveness  can  put  opposing  states  on  notice  concerning 
what  incursions  the  U.S.  will  treat  as  possible  armed  attacks. 

One  author  calls  cyberspace  “the  latest  domain  of  commerce  and  globalization  to 
emerge  as  a  global  common.”115  However,  the  entire  globe  is  not  a  commons.  States 
exercise  recognized  territorial  sovereignty  over  portions  of  the  land,  air,  and  sea 
domains.  There  is  no  reason  cyberspace  must  be  treated  as  outer  space,  without  any 
assertions  of  territorial  sovereignty.116  Human  beings  create  the  networks  and  nodes 
that  comprise  the  cyber  domain.  States  sometimes  go  to  great  lengths  to  maintain 
separation  between  certain  sensitive  networks  and  nodes  and  the  “open”  cyber 
commons.  When  they  do  so,  states  should  enjoy  the  equivalent  of  sovereign  rights  over 
that  portion  of  the  cyber  domain. 

This  is  more  than  just  an  academic  concept.  With  sovereignty  comes  a 
recognized  right  of  exclusion  and  defense.  There  is  no  expectation  that  a  state  stand 
idly  by  while  thousands  or  millions  of  unknowns  make  unwanted  and  uninvited  attempts 
to  cross  it  borders  in  the  air,  land,  or  sea  domains.  Attempts  in  these  numbers  occur 
daily  in  the  cyber  domain.117  In  traditional  domains,  states  might  view  the  vast  majority  of 
cases  as  criminal  acts  appropriate  for  handling  by  immigration  authorities.  However, 
some  attempts  might  occasionally  fit  the  profile  of  an  invasion,  which  would  trigger  the 

inherent  right  to  self-defense.  The  analysis  need  not  differ  much  for  the  cyber  domain. 
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As  a  first  defensive  step,  the  U.S  should  declare  its  most  critical  cyber  networks 
and  nodes  as  under  its  sovereign  protection  and  state  its  intention  to  exclude  all  others, 
just  as  it  would  from  its  physical  territory.  It  has  already  done  so,  in  effect,  by  its 
declaration  that  it  does  “reserve  the  right  to  defend  these  vital  national  assets  as 
necessary  and  appropriate.”118  Basing  this  right  upon  sovereignty  is  a  logical  step  into 
an  already-existing  legal  framework. 

This  acquisition  of  sovereignty  by  assertion  is  not  without  parallel  in  the  land 
domain.  “Acquisition  of  land  traditionally  was,  and  still  remains,  dependent  on  power 
processes,  often  backed  by  military  strength.  .  .  [T]he  rules  for  allocating  title  to  a 
particular  state  are  heavily  dependent  on  a  showing  of  physical  control.”119  In  other 
words,  the  power  to  keep  others  away  eventually  becomes  a  recognized  right  to  keep 
them  away. 

As  a  second  defensive  step,  the  U.S.  should  employ  active  cyber  defenses  in 
those  portions  of  the  cyber  domain  over  which  it  claims  sovereignty.  Active  defenses 
involve  detecting,  tracing,  and  performing  some  type  of  cyber  counter-attack  against  the 
intruder.120  This  can  occur  in  an  automated  mode  at  network  speed,  typically  after  the 
intruder  bypasses  passive  defenses. 

It  is  here  that  “Webster’s  reflex”  detailed  in  the  Caroline  rules  has  remarkable 
applicability  for  the  21st  century.121  After  breaching  passive  defenses,  damage  may 
occur  faster  than  humans  can  react,  making  an  electronic  reflexive  action  necessary  to 
prevent  harm.  The  U.S.  Department  of  Defense  has  already  declared  it  “will  employ  an 
active  cyber  defense  capability  to  prevent  intrusions  onto  DoD  networks  and 
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systems.”122  Such  measures  should  defend  all  critical  systems,  whether  DoD  or 
otherwise. 

Finally,  the  U.S.  should  commit  to  reporting  instances  in  which  its  active 
defenses  actually  deploy.  This  is  consistent  with  its  obligation  under  the  U.N  Charter  to 
inform  the  Security  Council  of  measures  taken  in  the  exercise  of  the  right  of  self- 
defense  in  response  to  an  armed  attack.123  Because  an  active  defense  mechanism 
typically  has  a  destructive  component,  it  is  likely  a  use  of  force.  Only  an  armed  attack 
justifies  a  use  of  force  in  response. 

Laying  out  the  circumstances  of  the  use  of  force  (though  certainly  not  its 
technical  means)  and  the  perception  of  the  armed  attack  that  precipitated  it  provides 
two  benefits.  First,  it  helps  deters  future  attacks,  as  effective  deterrence  requires  a 
certain  level  of  knowledge  and  common  understanding  about  the  possible  response. 
Drawing  on  the  work  of  Thomas  Schelling  in  Arms  and  Influence,124  one  commentator 
refers  to  this  as  having  “a  shared  idiom  of  action”  in  which  “countries  interpret  military 
actions  and  reprisals  similarly.”125  This  “shared  understanding  of  limits,  norms,  and 
expected  responses  creates  a  necessary  frame  of  reference  by  which  actors  distinguish 
between  proportionate  and  escalatory  behavior.”126 

Second,  it  also  helps  to  lessen  quickly  the  ambiguity  currently  surrounding  the 
application  of  international  law  to  the  cyber  domain.  It  is  difficult  to  clarify  this  legal 
regime  when  there  is  no  acknowledgement  or  discussion  of  current  state  practice.  Open 
information  allows  legal  commentators,  practitioners,  and  judicial  authorities  to  build  a 
body  of  accepted  international  law. 
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Conclusion 


To  summarize,  this  paper  first  detailed  the  international  legal  norms  currently 
governing  the  use  of  force  between  states.  The  key  components  of  the  regime  are  the 
overall  prohibition  against  the  use  of  force  and  the  exception  for  force  used  in  self- 
defense,  to  include  anticipatory  self-defense,  against  an  armed  attack.  It  then  examined 
the  factors  proposed  by  the  Tallinn  Manual  as  indicators  a  cyber  action  qualifies  as  a 
use  of  force.  These  factors  included  state  involvement  and  military  character  (who), 
severity  and  presumptive  legality  (what),  invasiveness  (where),  immediacy  (when),  and 
directness  and  measurability  of  effects  (how). 

Applying  these  factors  to  the  2007  cyber  attack  against  Estonia  indicated  the 
attacks  did  not  qualify  as  a  use  of  force  or  armed  attack.  The  application  to  the  2010 
Stuxnet  attack  against  Iran  reached  the  opposite  finding.  That  particular  cyber  action 
likely  did  qualify  as  an  armed  attack  under  the  proposed  Tallinn  Manual  analysis. 
Recognizing  a  vast  grey  area  exists  between  these  two  extremes,  the  paper 
recommended  several  steps  the  U.S.  could  take  to  reduce  dangerous  ambiguities  and 
lessen  the  risk  of  state  miscalculation. 

First,  the  U.S.  should  take  responsibility  for  its  clearly  justified  offensive  uses  of 
force  in  the  cyber  domain.  As  a  corollary,  it  should  vigorously  seek  to  prosecute  those 
who  compromise  its  anonymity  in  special  cases  where  national  interests  preclude  such 
open  acknowledgement.  Second,  to  protect  the  presumptive  legality  of  cyber 
espionage,  the  U.S.  should  not  blur  the  distinction  between  it  and  cyber  attack/defense 
by  allowing  functions  to  intermingle  too  closely  between  organizations.  Third,  the  U.S. 
should  draw  a  bright  line  as  to  its  invasiveness  tolerance  by  asserting  sovereignty  over 
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some  portions  of  the  cyber  domain.  Fourth,  the  use  of  active  defenses  is  the  most 
effective  means  of  asserting  and  protecting  these  U.S.  sovereignty  claims.  Fifth  and 
finally,  U.S.  reporting  of  active  defense  deployments  will  help  customary  international 
legal  norms  develop  more  quickly. 

The  cyber  domain  is  a  relatively  new  environment.  As  with  all  such  environments, 
a  certain  amount  of  discovery  learning  must  take  place.  However,  it  is  in  everyone’s 
interest  to  reduce  the  ambiguities  in  the  domain  as  quickly  as  possible  to  ensure  no  one 
blunders  into  war.  It  is  towards  this  aim  that  this  paper  directs  the  above 
recommendations.  One  hopes  the  phrase,  “Of  course,  you  realize,  this  means  war!”  will 
never  be  necessary  between  states.  However,  if  it  ever  is,  it  would  unspeakably  tragic  if 
the  alleged  offending  state  could  legitimately  disagree. 
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